First thing's first — anyone clinging to this because they believe it's strong evidence suggesting that the DNC (and DCCC) hack could have been
faked by CrowdStrike is wasting their time. Over the last couple years, I have posted about multiple threads of evidence from independent sources, the
details of which have been published. Some examples:

1. We know that in September of 2015, FBI agent Adrian Hawkins reached out to the DNC to warn them that their network had possibly been
compromised. By all accounts, Hawkins called multiple times over several weeks. The person he reached was an IT contractor named Yared
Tamene who is apparently something of a clown and did not take the calls seriously. Interestingly, Hawkins identified the likely intruders as "the
Dukes," the Russian hackers aka Cozy Bear (CrowdStrike), APT29 (FireEye), etc. It hasn't been reported how the FBI became aware of the intrusion.

2. In March of 2016, Dell's SecureWorks detected a massive spear phishing campaign in progress through analysis of Bitly shortened URLs.
SecureWorks identified the perpetrators as TG-4127 aka Iron Twilight/Fancy Bear/APT28. This is who phished John Podesta. There's an AP article
about it here that provides details like this:

A malicious link was generated for Podesta at 11:28 a.m. Moscow time, the AP found. Documents subsequently published by WikiLeaks show that
the rogue email arrived in his inbox six minutes later. The link was clicked twice.

Though the heart of the campaign was now compromised, the hacking efforts continued. Three new volleys of malicious messages were generated on
the 22nd, 23rd and 25th of March, targeting communications director Jennifer Palmieri and Clinton confidante Huma Abedin, among others.

3. Security outfits ThreatConnect and Fidelis have done their own independent research of the DNC/DCCC hacks as well as examining implants from the
servers provided by CrowdStrike. There's an index of some of ThreatConnect's posts here. I'm not going into everything they've detailed but as an
example:

In building upon Crowdstrike’s analysis, ThreatConnect researched and shared 20160614A: Russia-based groups compromise Democratic National
Committee within the ThreatConnect Common Community. This incident includes the IP address 45.32.129[.]185 which Crowdstrike lists as a FANCY BEAR
X-Tunnel implant Command and Control (C2) node.

Using ThreatConnect’s Farsight passive DNS integration to review the resolution history for 45.32.129[.]185 we uncovered some additional domain
resolutions. One of these domain resolutions is the suspicious domain misdepatrment[.]com (note the transposition of the “t” and the “r” in
department).

The domain misdepatrment[.]com was registered on March 22, 2016. Farsight lists the earliest domain resolution as March 24, 2016.
On April 24th, 2016 the domain misdepatrment[.]com moved from the parking IP Address 5.135.183[.]154 to the FANCY BEAR Command and Control IP Address
45.32.129[.]185 where it remains resolved as of the time of this writing.

The domain misdepatrment[.]com closely resembles the legitimate domain for misdepartment.com. Of note, MIS Department Inc. is a technology
services provider that lists a variety of clients on its website, one of which is the DNC.

In this case, the domain analyzed, which was registered in March, spoofed the legitimate domain of MIS Department Inc. Remember DNC IT contractor
Yared Tamene? Here's his LinkedIn.

4. There is actually evidence within the leaked emails which couldn't have been faked by CrowdStrike, including the phishing of Podesta and the
targeting of Alexandra Chalupa's Yahoo mail account. Specifically, there's an email where she informs the DNC leadership that Yahoo's security
team (the "Paranoids") had alerted her that she was the target of a possible state-sponsored phishing campaign. This is all in the WikiLeaks
archive of DNC emails, including an attached screenshot of the alert message she'd received.

That's just some things off the top of my head. Importantly, CrowdStrike couldn't have faked all this evidence unless they started way back in 2015,
created all this infrastructure, conducted a massive spear phishing campaign against thousands of targets, most of them NOT related to the Democrats
or the Clinton campaign and did it masquerading as Russian state sponsored hackers.

And that's a conclusion based only on the publicly available stuff. Even without getting into all the classified methods the NSA has, sources the CIA
employs, what foreign intel agencies shared, etc — there's the nuts and bolts evidence that the FBI would have sought from outside the
DNC/CrowdStrike when investigating any intrusion. Evidence that CrowdStrike could not have faked after the fact to create a hoax.

For example, it's clear from the Mueller indictment that they were given access to the command and control servers used by the hackers to interface
with the implants on the DNC's servers (which were located at two different datacenters in the US). We're talking VPSes that were at the IP addresses
in the implants found on the servers. CrowdStrike couldn't have given that access, it would have come from the ISPs — quite possibly, in the form of
forensic images of the two virtual servers.

There's all sorts of forensic evidence from the attackers' infrastructure that could not have been faked by CrowdStrike. Desperately clinging to this
"but the servers!" talking point in an effort to continue believing that CrowdStrike fabricated everything is wanton willful ignorance.
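
The lookalike-domain finding quoted in the post above (misdepatrment[.]com imitating misdepartment.com, then moving from a parking IP to the C2 IP) can be reproduced as a defensive check over passive-DNS style records. This is an added example, not part of the original post and not ThreatConnect's tooling; the function names are hypothetical, and the sample rows are constructed, with only the two misdepatrment rows taken from the figures quoted in the post.

```python
# Added example: flag watchlist lookalikes in passive-DNS style records.
WATCHLIST = ["misdepartment.com"]  # legitimate vendor domain named in the post

# Constructed sample rows: (domain, resolved IP, first seen). The two
# misdepatrment rows use the figures quoted in the post; the rest are made up.
RECORDS = [
    ("misdepatrment[.]com", "45.32.129[.]185", "2016-04-24"),
    ("misdepatrment[.]com", "5.135.183[.]154", "2016-03-24"),
    ("misdepartment[.]com", "192.0.2.10", "2015-01-05"),
    ("weather-report[.]example", "192.0.2.77", "2016-03-01"),
]


def refang(value):
    """Undo the [.] defanging so names can be compared."""
    return value.replace("[.]", ".").lower()


def osa_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute,
    plus swapping two adjacent characters as a single edit."""
    prev2, prev = None, list(range(len(b) + 1))
    for i in range(1, len(a) + 1):
        cur = [i] + [0] * len(b)
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                cur[j] = min(cur[j], prev2[j - 2] + 1)  # adjacent swap
        prev2, prev = prev, cur
    return prev[len(b)]


def find_lookalikes(records, watchlist, max_distance=1):
    """Return {domain: info} for names close to, but not equal to, a watched name."""
    hits = {}
    for domain, ip, first_seen in records:
        for legit in watchlist:
            dist = osa_distance(refang(domain), legit)
            if 0 < dist <= max_distance:
                entry = hits.setdefault(
                    domain, {"imitates": legit, "distance": dist, "history": []})
                entry["history"].append((first_seen, ip))
    for entry in hits.values():
        entry["history"].sort()  # ISO dates sort chronologically
    return hits


def ip_moves(history):
    """List (date, old_ip, new_ip) each time the resolution changes."""
    return [(date, old, new)
            for (_, old), (date, new) in zip(history, history[1:]) if new != old]


if __name__ == "__main__":
    for name, info in find_lookalikes(RECORDS, WATCHLIST).items():
        print(name, "imitates", info["imitates"], ip_moves(info["history"]))
```

A plain Levenshtein distance scores the "t"/"r" swap as two edits, so a threshold of 1 only catches this domain when the transposition is counted as a single edit.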

Shock and Awe, that's the way we do things. You take things from people you are investigating, you don't take things from the victims in an
investigation. Remember, the DNC are supposed to be the victims here.

Time and effort yes. I do not know how many servers they had, but I have heard upwards of 400. Take away even one server and productivity would fall.
They were trying to win an election, if the FBI had taken their servers that would have been a direct hindrance to their bottom line. It would look
100% like political bias (just like Comey "reopening" the Hillary investigation days before the election).

A copy of a drive isn´t a complete copy of the data that is stored in a way or another on it. This is more true for magnetic storage devices
than flash based.

You do not need to educate me on how filesystems work, it´s quite obvious you´re the one that needs more education in that field.

Depending on the way you "copy" a drive, there will be either just the data present that the filesystem knows it has allocated or in the case of
magnetic drives, you´d need much more precise hardware to read out ALL the partly overwritten lines of 1s and 0s that the allocation table(s) do not
know.

Because with magnetic drives, the arm won´t return to the exact same position every time. That´s why data recovery is possible with high precision
hardware with way less tolerances. This way you can read out halfway overwritten stuff that DEFINITELY won´t show up when you just copy the drive via
normal filesystem functions.

I hope I could educate you a bit on that.

According to the reporting, the images that were given to the FBI were forensic images which you know would be an exact duplicate including all the
allocated space, free space and slack space.

FBI Guy - "We suspect some wrong doing on your computer, we need to take a look."
Me - "Nah, but I tell ya what, I will get my buddy to make a copy of everything on my computer, and send you a copy."
FBI Guy - "Sounds good!" (Which would never happen like this)

My data = Family Pics, 8 or 10 gigs of music, couple of games, no porn, work and personal documents, no porn.
DNC Data = Possible National Security Info

Firstly, it wasn't just the DNC that were victims, it was the American people.

That's what the investigation is about, right, the Russians' attack on the American system.

Or can we now just admit the FBI is only concerned with investigating for the benefit of the DNC.

Secondly, there is a difference between investigating a suspect vs. non suspect, I will give you that.

But why would shock and awe matter if any info left off from a copy of a server would be blatantly obvious?

And most importantly, the time and effort argument is not only wrong, but an extremely poor reason for the FBI to give for why not to get access to the
server.

I can't wait for the FBI to publicly announce to the country they didn't use their preferred method of evidence collection in one of the biggest cases
in the agency's history because it would have cost the DNC a little more time and effort.

And for the DNC to announce to the American people that yes, they do think the Russia investigation is the biggest thing that we need to look at, but
they couldn't spare a little time and effort to meet the FBI request to help solve the case.

And I can prove it erroneous as well.

How, you may ask?

Well, because the DNC had to allow CrowdStrike to copy their servers, which would have taken the exact same time and effort!

In fact probably more, because they had to waste time denying the FBI, and had to actually pay CrowdStrike to do it!

And as far as affecting the election, it's been over since November 2016, and they STILL haven't had the FBI look at it.

It is clear that the DNC had a reason for not wanting the FBI to see their server.

originally posted by: theantediluvian
First thing's first — anyone clinging to this because they believe it's strong evidence suggesting that the DNC (and DCCC) hack could have been
faked by CrowdStrike is wasting their time.

Before you "lmao"...
That´s not the problem some of us see.

The problem here is that the so-called piece of evidence is a sloppy copy from the hard drive, when in reality, there´s way more data to be recovered,
intentionally deleted or not.

While for any other investigation -any- a crude photocopy of the evidence is not enough, somehow here it is. They always acquire the physical evidence,
not a copy of it.

It´s like a knife that belonged to person x was used on person a by person b.
The investigators will demand the actual knife, not the same model from the company that made it
"because it would be too much hassle to acquire the actual knife, a copy will do".

It´s as simple as that.
A hard drive is not something hard to move around, unlike a piece of evidence like bullet holes in a wall. Of course there it´s justified to not break
that part out of the wall but make a copy / imprint.

However, I must say that this post mostly seems unresponsive to anything in the OP.

For example, you cite evidence from 2015 that Russians were messing around with stuff like this.

Well then I suppose you will have to agree that because we definitely have evidence going years back that the Chinese government was trying to hack all
sorts of US servers, that the report that China got direct access to Hillary's servers must be true.

Of course we both know you would rightly say that just because they were making attempts doesn't mean it was true in that instance.

The same here. Just because Russia was doing this stuff in 2015 doesn't mean they were the source for the hack of the WikiLeaks dump.

Aside from that, I can get into the weeds again with you if you want, but you still haven't given any explanation as to why the FBI didn't look at the
physical server, or why the DNC didn't leave them.

In the past, you have said that probably the DNC had something they didn't want the FBI to see on their server.

Well then that proves that the copy given by their paid-for firm wasn't a complete copy, else the FBI would still be able to see the stuff the DNC
didn't want them to see.

Nonono, the image is made real time you are suggesting that the FBI needs to physically take servers (as I understand). And taking them now would be
pointless, data gets overwritten. I've been trying to say over and over First = Best. Should it have been the FBI to make the images? Maybe! But they
probably had a support contract with Crowdstrike to cover Incident Response.

As to why worry if a suspect deletes data (because we can see that they did that), we would never know what that data actually was.

I don't think it is clear that the DNC was hiding anything, I don't see the evidence. I am just trying to shed light on how the process is /supposed/
to work.

Now let me put my ATS hat on and let's say there is a conspiracy. In that case I don't think that the images or the physical servers would prove
anything! Crowdstrike could hand the images off to the FBI and everybody concerned could keep claiming RussiaRussiaRussia no matter what the evidence
says. None of us have seen the actual digital evidence.

Grambler, it was a complete copy in the sense of the actual stored data.

The "incompleteness" kicks in when you consider the partly overwritten weaker datatracks are not in the copy.

Our two - three "special experts" on this just don´t get that "slack data" is still on the active track on the HDD.

I´m not talking about that "slack data" I´m talking about 2-3 times the amount of data that you can extract from that HDD with the correct hardware
and discerning algorithms.

After all it was a HDD in a server, you can bet on that nearly every physical track on every disc inside that HDD has at least a leftover from
previous, slightly offset writes.

That´s why you overwrite HDDs several times to scrap them, in the hope that with the 10th time, you got enough wobble over the original track plus
some offset to make them unuseful.

Even if you overwrite the whole HDD several times with only one single bit-value (1 or 0), you will still be able to pick that 1 you wrote on that
track here and there. The chances to get useful data out of it decrease rapidly.

However, all that is far different from "slack data" because it occurs on the physical level of the plate and not somewhere in the filesystem.

They are just not able to make that transfer-thought, although it´s not too complicated. It´s much easier to "yo dude", "lmao" "youre fake
news" than to make that leap in the mind.

Such an operation isn´t even possible with normal actuators and heads.

Not only do you need high precision actuators to move that head, you need access to the raw datastream coming directly from the head and then you can
start to calculate the fluctuations.

After you got that correct you can discern and emulate those lost bits via math.

Like if you have a max read in from the head between 0-255 where 255 is a 1 and 0 is 0, you get values like

123
96
134
236

then you run those numbers and discern that the 96 had more 0s written than 1s over the history of writes.
You do that with multiple readouts per track.

Those numbers are just placeholders to explain it more easily.

Edit: The real magic starts when you train your algorithms (=self learning/adjusting) to make test writes with the original hardware on fresh plates
and compare it to expected data from what your algorithm spews out.

So you admit that it "maybe" should have been the FBI to copy the server, but it was ok for CrowdStrike because they had contracts for the FBI.

But as I understand it CrowdStrike had been paid by the DNC to work security for them for a while, so in a sense it was servers they were in charge of
defending that were attacked.

So allowing them to "work the crime scene" on behalf of the FBI would be like having a cop whose wife was killed work the crime scene there.

This should never happen because they are too close to the case and have biases.

In addition, we know the DNC had incentive to blame russia. We know that crowdstrike had blamed russia in other hacks and were wrong.

And again, this gives the appearance of bias or negligence by the FBI, and they knew that it would. And yet for convenience's sake, they decided that
the public's trust in them was worth sacrificing some to not spend a little more time and effort.

Funny, they don't seem to be concerned about time and effort when it comes to going after Trump.

He talks about the bits that are marked (=not allocated by the filesystem's allocation table anymore) for overwrite.

The real issue is that when the head moves over the plate (with magnetic discs) it won´t hit the same spot again each time. That´s why the tracks on
the disk where the 0 and 1 are written are wider.

So when there is a 0 on that track and the head moves over it to write a 1, it may not hit the exact same spot on that track. With more precise heads,
you can discern those variations and actually read out multiple values per track, where only one should be.

That´s how hardware recovery works.

Don´t be fooled by the "live image" and "no physical access". All you get when you do that so-called "forensic readout" is read every bit that your
head on the plate reads out through a filter on the original hardware.

That means, yes, you will get bits that are free to overwrite but that is meaningless because it´s data coming from the head and the controller on
the hard disk´s electronics does the exact thing I wrote above but vice-versa.

It goes:
143 -> 0
223 -> 1
127 -> 0 / 1 -> reread -> 120 -> 0
96 -> 0

What the hardware recovery does is do more readouts per track and it goes like

143 -> 00011
223 -> 11110
127 -> 01010

each 0 and 1 being history writes. Heavy math and pattern recognition will do the trick in alliance with test writes and data samples to discern the
correct order. In reality it´s done with 2-3 readouts because processing power...

I really don´t think or say that CrowdStrike messed with those images. I think they will be nearly spot on with what the hardware controller spits
out into the SCSI / SATA / IDE -whatever- bus (excluding normal read errors / misinterpretations).

What I say is, the chance to get what was really overwritten (and not just de-allocated by the filesystem for overwrite).
